Regex - Spamfilter - False Positive?

Darvocet · Post by **Darvocet** » Wed Mar 23, 2005 6:53 pm

Recieved a complaint this morning that some DCC sends were blocked between 2 specific users. Spamfilter seems to have blocked the sends.

-nightcrow.se.eu.epicirc.net- DCC to xxUSERxx blocked: Infected by Gaggle worm
-nightcrow.se.eu.epicirc.net- *** You have been blocked from sending files, reconnect to regain permission to send files

Of course this is in the spamfilter as:

spamfilter {
regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
target dcc;
action block;
reason "Infected by Gaggle worm?";
};

Now, I am not good with regex, so sorry that I have to ask somewhat simple questions here... How could this spamfilter be blocking files. What exactially is it looking for? User test sending test.txt are blocked. User has virusscanned with updated Norton 2005, so Im just not POSITIVE that anyone is infected.

Any help is appreciated.

Darv.

Dukat · Post by **Dukat** » Wed Mar 23, 2005 6:57 pm

http://forums.unrealircd.com/viewtopic.php?t=1723

Darvocet · Post by **Darvocet** » Wed Mar 23, 2005 6:59 pm

Dukat wrote:http://forums.unrealircd.com/viewtopic.php?t=1723

doh. thank you dukat.

Darvocet · Post by **Darvocet** » Wed Mar 23, 2005 7:07 pm

Dukat wrote:http://forums.unrealircd.com/viewtopic.php?t=1723

Ok that post OBVIOUSLY is my problem but is WAY over my head. It implies that // needs to be ////. All of them?

regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";

is what I show in spamfilter.conf

Does it want

regex "C:\\\\WINNT\\\\system32\\\\[][0-9a-z_-{|}`]+\.zip";
?

Stealth · Post by **Stealth** » Wed Mar 23, 2005 7:09 pm

That and the regex is entirely messed up...

What are you trying to block?

Darvocet · Post by **Darvocet** » Wed Mar 23, 2005 7:13 pm

Stealth wrote:That and the regex is entirely messed up...

What are you trying to block?

Well I wasnt trying to block anything, recieved a false positive on the 'Gaggle' entry in the spamfilter.conf. I realize that I could just remove that and make it work, but I would rather working spamfilters

Stealth · Post by **Stealth** » Wed Mar 23, 2005 7:21 pm

Get the fix from CVS:
http://cvs.ircsystems.net/cgi/viewcvs.c ... l3_2_fixes

Darvocet · Post by **Darvocet** » Wed Mar 23, 2005 7:26 pm

Stealth wrote:Get the fix from CVS:
http://cvs.ircsystems.net/cgi/viewcvs.c ... l3_2_fixes

Thank you very much stealth!!!!

Have a merry christmas.

PS. I woulda just logged into the irc network for help, but DNS for irc.unrealircd.com is down.

In case nobody notices yet.